使用脚本一键部署堡垒机
部门领导要求研究一下堡垒机的使用,所以花了两天时间研究了一下开源堡垒机的部署和使用。因为官方文档中有部分内容已经有误,现在以官方的CentOS8版本的安装文档为蓝本,把部署过程以脚本的形式备份一下。 其中,主要的变化是:使用了官方源的nginx、修改了python安装的几个组件的版本、部署了堡垒机jms服务、koko服务和guacamole服务的systemd自启动脚本。
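#!/bin/bash
# 2020.01.15
# sujx@live.cn
#
# One-shot Jumpserver (bastion host) deployment for CentOS 8, following the
# official installation document: Redis + MariaDB + nginx + a Python 3.6 venv
# for the jms core, koko and guacamole as podman containers, the Luna web
# terminal files, and systemd units for jms / koko / guacamole.
#
# Must run as root on a fresh host (it is not idempotent: clone, database and
# container creation fail if run twice). Generated secrets (DB password,
# SECRET_KEY, BOOTSTRAP_TOKEN) and the detected server IP are recorded in
# ~/passwd.txt, which is created with mode 0600.
#
# pipefail is deliberately NOT enabled: the `tr ... | head -c N` secret
# generators end with head closing the pipe, which makes tr exit on SIGPIPE
# and would abort the script under pipefail even though the result is fine.
set -eu

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Print a random alphanumeric string of $1 characters (passwords / tokens).
# LC_ALL=C keeps tr byte-oriented on the raw /dev/urandom stream. The
# [A-Za-z0-9] alphabet is what makes the values safe to splice into the sed
# and SQL commands below without further escaping.
rand_alnum() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

[[ "$EUID" -eq 0 ]] || die "this script must be run as root"

# Base packages
yum update -y
yum -y install wget gcc epel-release git telnet openssh-clients dnf-utils vim
yum update -y

# Fetch Jumpserver
cd /opt/
git clone --depth=1 https://github.com/jumpserver/jumpserver.git

# Firewall and SELinux. Skip this section if firewalld and SELinux are already
# disabled on the host.
systemctl start firewalld
# nginx port
firewall-cmd --zone=public --add-service=http --permanent
# user SSH login port (koko)
firewall-cmd --zone=public --add-port=2222/tcp --permanent
# reload rules
firewall-cmd --reload
# setsebool exits non-zero when SELinux is disabled, which would abort under
# set -e, so only run it when SELinux is actually enabled.
if selinuxenabled 2>/dev/null; then
  setsebool -P httpd_can_network_connect 1
fi

# Redis: Jumpserver uses it as cache and celery broker
yum -y install redis
systemctl enable redis --now

# MySQL (MariaDB). Skip if not using MySQL; sqlite3, mysql, postgres etc. are
# supported by Jumpserver.
yum -y install mariadb mariadb-devel mariadb-server sshpass
systemctl enable mariadb --now

# Secrets record file: create it owner-only BEFORE any secret is written so the
# default umask never leaves it world-readable.
install -m 600 /dev/null ~/passwd.txt

# Create the jumpserver database and grant access with a random password.
# DB_PASSWORD is alphanumeric only (see rand_alnum), so it is safe inside the
# single-quoted SQL literal.
DB_PASSWORD=$(rand_alnum 24)
printf '数据库密码是 %s\n' "$DB_PASSWORD" >> ~/passwd.txt
mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"

# nginx: reverse proxy that integrates Jumpserver with its components
yum -y install nginx
systemctl enable nginx --now

# Python 3.6 plus build dependencies for the Python libraries
yum -y install python36 python36-devel
yum -y install krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel openldap-devel libffi-devel openldap-clients

# pip: use the Huawei PyPI mirror
mkdir -p ~/.pip
cat >~/.pip/pip.conf<<EOF
[global]
index-url = https://mirrors.huaweicloud.com/repository/pypi/simple
trusted-host = mirrors.huaweicloud.com
timeout = 120
EOF

# Create and activate the Python 3 venv ("py3" is just the venv name;
# `deactivate` leaves it again)
cd /opt
python3 -m venv py3
# shellcheck disable=SC1091
source /opt/py3/bin/activate
pip install wheel setuptools
pip install pip --upgrade
pip install python-gssapi

# Bump a few pinned requirement versions before installing
sed -i "s/Django==2.1.11/Django==2.2/g" /opt/jumpserver/requirements/requirements.txt
sed -i "s/cryptography==2.3.1/cryptography==2.7/g" /opt/jumpserver/requirements/requirements.txt
sed -i "s/pyasn1==0.4.2/pyasn1==0.4.6/g" /opt/jumpserver/requirements/requirements.txt
pip install -r /opt/jumpserver/requirements/requirements.txt

# Jumpserver configuration
cd /opt/jumpserver
cp config_example.yml config.yml
SECRET_KEY=$(rand_alnum 50)
BOOTSTRAP_TOKEN=$(rand_alnum 16)
# The secrets live in config.yml (read by jms) and in ~/passwd.txt (0600) only;
# they are intentionally not copied into shell rc files such as ~/.bashrc.
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
printf 'SECRET_KEY是 %s\n' "$SECRET_KEY" >> ~/passwd.txt
printf 'BOOTSTRAP_TOKEN是 %s\n' "$BOOTSTRAP_TOKEN" >> ~/passwd.txt

# Run Jumpserver as a systemd service. Newer releases changed the runner to
# `./jms start|stop|status all`; -d backgrounds it (hence Type=forking).
cat >/usr/lib/systemd/system/jms.service<<EOF
[Unit]
Description=jms
After=network.target mariadb.service redis.service
Wants=mariadb.service redis.service

[Service]
Type=forking
Environment="PATH=/opt/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
ExecStart=/opt/jumpserver/jms start -d
ExecReload=
ExecStop=/opt/jumpserver/jms stop

[Install]
WantedBy=multi-user.target
EOF
systemctl enable jms.service --now

# podman runs koko and guacamole. Aliases are not expanded in a non-interactive
# script, so podman is invoked directly below; the alias is only a convenience
# for interactive shells.
yum install -y podman-docker
echo "alias docker=podman" >> ~/.bashrc
# podman registry mirrors
sed -i "s/registry.redhat.io/dockerhub.azk8s.cn/g" /etc/containers/registries.conf
sed -i "s/registry.access.redhat.com/docker.mirrors.ustc.edu.cn/g" /etc/containers/registries.conf

# Allow containers to reach host port 8080 (the jms core). 10.88.0.0/16 is
# podman's default container subnet; this grants the whole range for
# convenience -- narrow it to the actual container IPs if required
# (the IP can be checked from inside the container).
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.88.0.0/16" port protocol="tcp" port="8080" accept'
firewall-cmd --reload

# Detect this server's IPv4 address: first 'inet' line of an interface in
# state UP, excluding loopback, IPv6 and docker bridges.
Server_IP=$(ip addr | grep 'state UP' -A2 | grep inet | grep -Ev '(127.0.0.1|inet6|docker)' | awk '{print $2}' | head -n 1 | cut -d / -f1)
[[ -n "$Server_IP" ]] || die "could not determine the server IP address"
printf '服务器IP是 %s\n' "$Server_IP" >> ~/passwd.txt

# CORE_HOST / JUMPSERVER_SERVER point at the jms core port, e.g.
# http://192.168.244.144:8080; BOOTSTRAP_TOKEN must match config.yml.
# Images are pulled by tag; pin by digest for a reproducible deployment.
podman run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e "CORE_HOST=http://$Server_IP:8080" -e "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" jumpserver/jms_koko:1.5.6
podman run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e "JUMPSERVER_SERVER=http://$Server_IP:8080" -e "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" jumpserver/jms_guacamole:1.5.6

# koko autostart
cat > /usr/lib/systemd/system/koko.service << EOF
[Unit]
Description=Podman JMS_koko Service
After=network.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/podman start -a jms_koko
ExecStop=/usr/bin/podman stop -t 10 jms_koko
Restart=always

[Install]
WantedBy=multi-user.target
EOF
systemctl enable koko.service

# guacamole autostart
cat > /usr/lib/systemd/system/guacamole.service << EOF
[Unit]
Description=Podman JMS_guacamole Service
After=network.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/podman start -a jms_guacamole
ExecStop=/usr/bin/podman stop -t 10 jms_guacamole
Restart=always

[Install]
WantedBy=multi-user.target
EOF
systemctl enable guacamole.service

# Web terminal front end (Luna), served by nginx. Download the matching
# release from https://github.com/jumpserver/luna/releases and unpack it; no
# build step is needed.
cd /opt
# wget https://github.com/jumpserver/luna/releases/download/1.5.6/luna.tar.gz
# mirror for when the GitHub download cannot complete
# TODO: verify the archive against a published checksum before unpacking
wget https://demo.jumpserver.org/download/luna/1.5.6/luna.tar.gz
tar xvzf luna.tar.gz
chown -R root:root luna

# nginx integration of all components. Lines 38-58 of the stock CentOS 8
# nginx.conf are the default server{} block; the backup copy is kept so the
# deletion can be checked if the packaged layout ever changes.
rm -f -- /etc/nginx/conf.d/default.conf
cp /etc/nginx/nginx.conf /etc/nginx.conf.bak
sed -i "38,58d" /etc/nginx/nginx.conf
# The delimiter is quoted so nginx's own $variables are written literally.
# This listens on plain HTTP (port 80); terminate TLS in front of it or add a
# 443 server block before exposing the bastion beyond a trusted network.
cat > /etc/nginx/conf.d/jumpserver.conf << "EOF"
server {
    listen 80;
    # server_name _;
    client_max_body_size 100m;  # upload / recording size limit

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change if the install directory differs
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; change if the install directory differs
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change if the install directory differs
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}
EOF

# Validate the configuration first; under set -e a bad config stops here
# instead of restarting nginx into a broken state.
nginx -t
systemctl restart nginx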
然后网页访问主机地址.
另外,脚本的下载地址如下: jumpserver安装脚本